Analysis
max time kernel: 50s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2022, 15:36
Static task
static1
General
Target: bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe
Size: 375KB
MD5: 4c3c21b3ccc6c66715e0a3706c324769
SHA1: 2cb4e1fd586bf9d4c51ec3712249039270fce1a8
SHA256: bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff
SHA512: c40be4367c8769f3ea60bf0e64d475272c85125026d46532962dd1844e7c91b438679861db9f588a2f3378b8e11290ca8bf85e3f5270b9a633f239296c42259f
SSDEEP: 6144:Sv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:S4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures
-
Gh0st RAT payload 8 IoCs
resource | yara_rule
- behavioral1/memory/2524-135-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/2524-136-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/2524-138-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/4148-148-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/4148-150-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/376-155-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/376-156-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
- behavioral1/memory/376-158-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
Executes dropped EXE 2 IoCs
pid | Process
- 4148 | SQLSerasi.exe
- 376 | SQLSerasi.exe
Matches yara rule upx 10 IoCs
resource | yara_rule
- behavioral1/memory/2524-132-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/2524-135-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/2524-136-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/2524-138-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/4148-148-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/4148-150-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/376-151-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/376-155-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/376-156-0x0000000010000000-0x0000000010362000-memory.dmp | upx
- behavioral1/memory/376-158-0x0000000010000000-0x0000000010362000-memory.dmp | upx
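The memory-dump IoCs above are easier to reason about once parsed. The following Python is an added example, not part of this Triage report and not Triage's own tooling; it takes the 18 IoC strings exactly as printed in the two lists (copied inline), groups them by process and memory region, and reports where the family_gh0strat and upx rules fired on the same region and in which dump each rule first appeared. The region start 0x10000000 is the MSVC linker's default image base for DLLs, so a 0x362000-byte region at that address in every process is consistent with the payload being a DLL mapped at its preferred base; that reading is an inference from the addresses, not something the report states. All function names are mine.

```python
import re
from collections import defaultdict

# The 18 yara-rule memory IoCs from the report above, copied verbatim.
# Triage format: behavioral1/memory/<pid>-<dump seq>-0x<start>-0x<end>-memory.dmp <rule>
MEMORY_IOCS = """
behavioral1/memory/2524-135-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/2524-136-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/2524-138-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/4148-148-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/4148-150-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/376-155-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/376-156-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/376-158-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat
behavioral1/memory/2524-132-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/2524-135-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/2524-136-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/2524-138-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/4148-148-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/4148-150-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/376-151-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/376-155-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/376-156-0x0000000010000000-0x0000000010362000-memory.dmp upx
behavioral1/memory/376-158-0x0000000010000000-0x0000000010362000-memory.dmp upx
"""

DLL_DEFAULT_BASE = 0x10000000  # MSVC linker default image base for DLLs (assumed relevant here)

IOC_RE = re.compile(
    r"behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp\s+(?P<rule>\S+)"
)


def parse_memory_iocs(text):
    """One record per IoC string; anything that does not match the format is ignored."""
    return [
        {
            "pid": int(m["pid"]),
            "seq": int(m["seq"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "rule": m["rule"],
        }
        for m in IOC_RE.finditer(text)
    ]


def rules_by_region(records):
    """(pid, start, end) -> set of rules that fired on that region in any dump."""
    out = defaultdict(set)
    for r in records:
        out[(r["pid"], r["start"], r["end"])].add(r["rule"])
    return dict(out)


def pids_with_overlap(records, rule_a="family_gh0strat", rule_b="upx"):
    """PIDs in which both rules matched the same region (packer and payload co-located)."""
    return sorted(
        pid for (pid, _s, _e), rules in rules_by_region(records).items()
        if rule_a in rules and rule_b in rules
    )


def region_sizes(records):
    """Distinct (start, size-in-bytes) pairs seen across all dumps."""
    return sorted({(r["start"], r["end"] - r["start"]) for r in records})


def dump_sequence(records, pid):
    """Dump sequence numbers captured for a PID (the same region dumped repeatedly)."""
    return sorted({r["seq"] for r in records if r["pid"] == pid})


def first_hit(records, pid, rule):
    """Earliest dump in which `rule` matched for `pid`, or None if it never did."""
    seqs = [r["seq"] for r in records if r["pid"] == pid and r["rule"] == rule]
    return min(seqs) if seqs else None


def at_dll_default_base(records):
    """PIDs whose matched region starts at the MSVC default DLL image base."""
    return sorted({r["pid"] for r in records if r["start"] == DLL_DEFAULT_BASE})


if __name__ == "__main__":
    recs = parse_memory_iocs(MEMORY_IOCS)
    print(len(recs), "records")
    print("regions:", [(hex(s), hex(n)) for s, n in region_sizes(recs)])
    print("gh0strat+upx in same region:", pids_with_overlap(recs))
    for pid in pids_with_overlap(recs):
        print(pid, "dumps", dump_sequence(recs, pid),
              "first upx", first_hit(recs, pid, "upx"),
              "first gh0strat", first_hit(recs, pid, "family_gh0strat"))
```

For PID 2524 the upx rule first fires in dump 132 and family_gh0strat in dump 135, and for PID 376 in dumps 151 and 155 respectively; that ordering is consistent with the packed image being dumped before the payload was unpacked, though the report itself only records the matches.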
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
- File created | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe
- File opened for modification | C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe | bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; nothing else in this report, which records no file encryption and identifies a Gh0st RAT payload in memory, supports ransomware, so treat the hit as a heuristic rather than a classification.)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2524 | bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe
- Token: SeDebugPrivilege | 4148 | SQLSerasi.exe
- Token: SeDebugPrivilege | 376 | SQLSerasi.exe
- Token: SeDebugPrivilege | 376 | SQLSerasi.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
- PID 2524 wrote to memory of 4148 | 2524 | bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe | 84
- PID 2524 wrote to memory of 4148 | 2524 | bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe | 84
- PID 2524 wrote to memory of 4148 | 2524 | bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe | 84
Processes
C:\Users\Admin\AppData\Local\Temp\bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe"
  PID: 2524
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      cmdline: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      PID: 4148
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
  cmdline: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
  PID: 376
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      cmdline: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      PID: 3904
    C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      cmdline: "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      PID: 3792

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 376 -ip 376
  PID: 4376

The listing has three root processes: the submitted sample (PID 2524), a second SQLSerasi.exe instance (PID 376) that appears without a recorded parent, and WerFault.exe. WerFault's -p 376 argument names the process it was invoked for, so the second SQLSerasi.exe instance faulted; the report does not record why.
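The process listing is extracted from the Triage page in a flattened form: image path and command line run together, then a nesting-depth digit and a "⤵" glyph, with the PID on the same line or on a following "PID:<n>" line, and the process's signatures as "- ..." bullets. The following Python is an added example, not part of the report or of Triage; it parses that flattened text (copied inline as it appears on the page) back into a tree, lists roots and parent/child relations, and links the WerFault.exe instance to the PID named by its -p argument. The function names are mine.

```python
import re

# The "Processes" listing from the report above, copied inline in the flattened
# form in which it is extracted from the Triage page (see lead-in for the layout).
RAW_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe"C:\Users\Admin\AppData\Local\Temp\bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376 -
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵PID:3904
-
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵PID:3792
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 376 -ip 3761⤵PID:4376
"""

# A process line: everything up to the depth digit, the glyph, optionally PID on the same line.
PROC_RE = re.compile(r"^(?P<body>.+?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
WER_TARGET_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")   # WerFault's "-p <pid>" argument


def parse_process_tree(text):
    """Rebuild the tree: each node has image, cmdline, depth, pid, parent (node or None), signatures."""
    nodes, last_at_depth, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = PROC_RE.match(line)
        if m:
            body, depth = m["body"], int(m["depth"])
            cut = body.lower().find(".exe") + 4          # image path ends at the first ".exe"
            current = {
                "image": body[:cut],
                "cmdline": body[cut:],
                "depth": depth,
                "pid": int(m["pid"]) if m["pid"] else None,
                "parent": last_at_depth.get(depth - 1) if depth > 1 else None,
                "signatures": [],
            }
            last_at_depth = {d: n for d, n in last_at_depth.items() if d < depth}
            last_at_depth[depth] = current
            nodes.append(current)
            continue
        m = PID_RE.match(line)
        if m and current is not None:
            current["pid"] = int(m["pid"])
        elif line.startswith("- ") and current is not None:
            current["signatures"].append(line[2:])
    return nodes


def roots(nodes):
    return [n["pid"] for n in nodes if n["parent"] is None]


def children(nodes, pid):
    return [n["pid"] for n in nodes if n["parent"] is not None and n["parent"]["pid"] == pid]


def pids_with_signature(nodes, signature):
    return [n["pid"] for n in nodes if signature in n["signatures"]]


def werfault_targets(nodes):
    """WerFault.exe PID -> PID it was invoked for (its -p argument)."""
    out = {}
    for n in nodes:
        if n["image"].lower().endswith("werfault.exe"):
            m = WER_TARGET_RE.search(n["cmdline"])
            if m:
                out[n["pid"]] = int(m.group(1))
    return out


def render_tree(nodes):
    """Indented one-line-per-process view, in listing order."""
    return [f"{'    ' * (n['depth'] - 1)}{n['pid']} {n['image']}" for n in nodes]


if __name__ == "__main__":
    tree = parse_process_tree(RAW_TREE)
    print("\n".join(render_tree(tree)))
    print("roots:", roots(tree))
    print("children of 2524:", children(tree, 2524), "children of 376:", children(tree, 376))
    print("WerFault targets:", werfault_targets(tree))
```

The depth digit is the only parent information the flattened page carries, so the parser tracks the most recent node at each depth and attaches a depth-n line to the last depth-(n-1) node; a depth-1 line with no parent is a root, which is how the second SQLSerasi.exe instance (PID 376) shows up here.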
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 15.9MB
MD5: 9885584bc24b2ca9b1b5be304df91eb2
SHA1: f7ed402df185df63e929f8932d941a07e434987d
SHA256: b62e06a57afe1f06e78fcc78232e63a93bbc60eb0826f47b9c6a4ebf0620217b
SHA512: d66a3c45a1683c0981791714ed7350742fffeb8cfcfa4847f7751a05283f9d1d179c23155186826ca1454358f13c4220af405d43119e7eef64df7dd47c5f8622

Filesize: 14.5MB
MD5: 4d684f7b7a9ed3f1fcb4cc6d9e111fa8
SHA1: f0022450bde02e9319f6ca375b532000ed570594
SHA256: 33da6389ac63afff45ba9fd802c8bd8fef692c0ba866028fd92ee8296c53153c
SHA512: 9530a4b23e1aed12d0cd5c2a661e05d7c1bfc24d59b38349952371799c046f32f642874b9e091d77c03e7508972cb346aa23e4528ec4f70ebb6deaf093ce5f93

Filesize: 10.5MB
MD5: f3d68a8950e2e28db4a29acabd4bcdda
SHA1: 44adf72df247f2e504f846946af2f35ec6a92e76
SHA256: 3ddcf6c6743923c2702624665956340acf878c919d0f86111900bca9def06da6
SHA512: 79bca69324e95e602f5a7db50601c4477057f78e4f531a123860f4a5d50d4f148751f4563783d35f8960c2cb4204f10be20d18028d226f977ef4e8a2800f9379

Filesize: 1.2MB
MD5: 93546a226469359cef90cf8844221bc1
SHA1: 86b682dcb96b23ee4b600397a2c2f8d986e4b861
SHA256: 3a0987941bb3d1a4f33e8e1cc9c756a21650e19b3e5135be3d2f5f4bc83626da
SHA512: 15666e8249acaf9146da11ca1b1babeeba3f709de3e4829c485e4a248616a5061355e569f3cb5ef8065eb3dd466f23d36cc3cc29b8f33ecca2caa99a1506bc60

Filesize: 1024KB
MD5: 0228c07eedfaca989b2a02a4118ca7ed
SHA1: 20cf3730fa7b56edbb8b2048733dff5758f25af5
SHA256: ff691f88ef3ace14ff7f50dc725ef5b8c8896e62ae792249369b15a982b599a8
SHA512: 8dbea8f39bd85d4979a1cee1ce9efd6dcacd10096f2a1a3bc7fcc1997521a636017b58d5c472260f21810cd8f6b47aa38b4468cfc07ef14b3340455c8e681f82